ghantoos / lshell

lshell is a shell coded in Python, that lets you restrict a user's environment to limited sets of commands, choose to enable/disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log user's commands, implement timing restriction, and more.
GNU General Public License v3.0

Aliased command calls the actual command when after a pipe #96

Closed brbrady closed 9 years ago

brbrady commented 9 years ago

example:

I have this aliases line in my config:

aliases : {'ssh': 'limited_user_teleport', 'awk': 'gawk'}

ben:~$ ssh
usage: limited_user_teleport [-h] [-l [FILTER]] SERVER [COMMAND...]
ben:~$ echo

ben:~$ echo | ssh
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
* ssh help message cut off -- you get the point *

While I understand that Linux aliases only work at the beginning of the command, it seems like only one of the following should be true:

  1. I must add an alias to 'allowed' in order for it to be allowed
  2. Aliases are only aliases at the beginning of the command, failing over to use whatever is in PATH

This seems like a pretty big security flaw. I'll investigate more in the morning, maybe send a pull.

ghantoos commented 9 years ago

There was an error in the alias replacement function. It did not take the single pipe into account. Nice catch!
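
The failure mode discussed in this thread, as an added Python sketch that is not lshell's code: alias substitution applied only to the first word of the line, next to a version that rewrites the command word of every segment. The function names and the separator set are assumptions made for illustration; the aliases dictionary is the one quoted in the issue.

```python
import re

# The aliases line quoted in the issue.
ALIASES = {'ssh': 'limited_user_teleport', 'awk': 'gawk'}

# Operators after which a new command starts: ||, &&, |, ;, &
# (assumed set for this sketch; '||' and '&&' are listed first so they
# are not split into two single-character operators).
SEPARATORS = re.compile(r'(\|\||&&|[|;&])')


def _alias_command_word(segment, aliases):
    """Replace the first word of one command segment if it is an alias."""
    m = re.match(r'\s*(\S*)', segment)
    word = m.group(1)
    return segment[:m.start(1)] + aliases.get(word, word) + segment[m.end(1):]


def expand_first_only(line, aliases):
    """Behaviour reported in the issue: only the start of the line is aliased."""
    return _alias_command_word(line, aliases)


def expand_every_command(line, aliases):
    """Alias the command word of every segment, so a pipe cannot skip the mapping.

    Simplification: quoting is not parsed, so an operator inside a quoted
    argument is also treated as a separator.
    """
    out = []
    for part in SEPARATORS.split(line):
        if SEPARATORS.fullmatch(part):
            out.append(part)  # keep the operator itself unchanged
        else:
            out.append(_alias_command_word(part, aliases))
    return ''.join(out)


if __name__ == '__main__':
    # Constructed sample inputs, modelled on the session in the issue.
    for line in ('ssh', 'echo | ssh', "ssh host; awk '{print}' f && ssh x"):
        print(repr(line))
        print('  first only   :', expand_first_only(line, ALIASES))
        print('  every command:', expand_every_command(line, ALIASES))
```

A restricted shell that uses aliases as a control should also check the rewritten command words against its allowed list, which is the first of the two options raised in the report.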